Bug: Blocked users can edit their profile, and cannot (easily) be prevented by a filter

Question

I thought I reported this a while back, but can't find the question now. Anyway this is still happening.

If a user is blocked and/or their IP address blocked, they can still edit their profile.

This means spam users can come back and continue to spam, or "disgruntled" blocked users can post abuse there. Perhaps there are legitimate reasons for allowing this, but putting stuff in your profile is essentially the same as posting on the site proper, so IMO it doesn't make sense to allow this (at least by default).

A secondary issue is that it's not feasible to prevent this via filters. In the filter_profile function, you can check if the current user is blocked, but there is no way to return a global error, only one error per field. I had this code:

if ( !($userflags & QA_USER_FLAGS_EMAIL_CONFIRMED) )
     $errors[4] = 'Must confirm email to edit profile.';

But it only blocks editing of that specific field - editing a different field works. It's not really feasible to return errors for every single field every time.

Can we get this fixed soon?

Comments

There is also this semi-related issue: http://question2answer.org/qa/27521/why-moderation-when-user-reshows-his-question-comment-answer

Answer 1

I will look into this for 1.6.3. In the meantime you can either add the error to every field in $profile in filter_profile(...) or else just block an HTTP POST on the user profile page if the user is block, using init_page(...) in a  process module.

Comments

OK thanks. I'd already changed my code to mark every field, for anyone else here is my code:

// get user profile fields
$userfields = qa_db_select_with_pending( qa_db_userfields_selectspec() );

// check if banned
if ( qa_user_permit_error() !== false )
{
  foreach ( $userfields as $f )
    $errors[$f['fieldid']] = 'Sorry, you are not allowed to edit your profile.';
  return null;
}

---

OK, this has been addressed and will be rolled into Q2A 1.6.3.